Hmm. Certbot does not normally add those when using its renew command. It only should do that when getting the original cert. What command did you use to renew? Some people re-issue their original command rather than using the renew command.
Also, usually people only use the --nginx option when they want Certbot to update their nginx config for them. If you are updating your config manually why did you choose that option? Perhaps a different set of options would better suit you. Please show the original command you used to get the cert.
Also, would be helpful to know more about your environ. Please answer more questions from the form you should have been shown when posting
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version):